diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
index dabe8f665..59de0024a 100644
--- a/.github/workflows/builder_go_slsa3.yml
+++ b/.github/workflows/builder_go_slsa3.yml
@@ -47,7 +47,7 @@ on:
required: true
type: string
upload-assets:
- description: "Whether to upload assets to a GitHub release or not."
+ description: "If true provenance is uploaded to a GitHub release for new tags."
required: false
type: boolean
default: true
@@ -61,7 +61,7 @@ on:
required: false
type: string
compile-builder:
- description: "Build the builder from source. This increases build time by ~2mn."
+ description: "Build the builder from source. This increases build time by ~2m."
required: false
type: boolean
default: false
@@ -181,7 +181,7 @@ jobs:
go-version: ${{ inputs.go-version }}
- name: Download builder
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
+ uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
with:
name: "${{ env.BUILDER_BINARY }}"
@@ -241,7 +241,7 @@ jobs:
go-version: ${{ inputs.go-version }}
- name: Download builder
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
+ uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
with:
name: "${{ env.BUILDER_BINARY }}"
@@ -328,7 +328,7 @@ jobs:
needs: [build, build-dry]
steps:
- name: Download generated binary
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
+ uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
with:
name: "${{ env.GENERATED_BINARY_NAME }}"
@@ -373,7 +373,7 @@ jobs:
go-provenance-sha256: ${{ steps.sign-prov.outputs.signed-provenance-sha256 }}
steps:
- name: Download builder
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
+ uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
with:
name: "${{ env.BUILDER_BINARY }}"
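Review bot: The new `upload-assets` description says only provenance is uploaded, but the release job gated by `inputs.upload-assets` (the `@@ -439` hunk of this same file) downloads and hash-checks the generated binary as well as the provenance, so presumably both end up as release assets. Suggest `description: "If true, the built binary and its provenance are uploaded to a GitHub release when the workflow runs on a new tag."`. The upload step itself is outside this diff, so confirm what its `files:` lists before settling the wording.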
@@ -439,7 +439,7 @@ jobs:
if: startsWith(github.ref, 'refs/tags/') && inputs.upload-assets == true
steps:
# Verify binary hash.
- - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+ - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
with:
name: ${{ needs.build-dry.outputs.go-binary-name }}
- name: Verify binary hash
@@ -458,7 +458,7 @@ jobs:
echo "$UNTRUSTED_BINARY_HASH $UNTRUSTED_BINARY_NAME" | sha256sum --strict --check --status || exit -2
# Verify provenance hash.
- - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+ - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0.
with:
name: ${{ needs.provenance.outputs.go-provenance-name }}
- name: Verify provenance hash
diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml
index e35e4d0fa..f2f05cfc0 100644
--- a/.github/workflows/generator_generic_slsa3.yml
+++ b/.github/workflows/generator_generic_slsa3.yml
@@ -30,11 +30,6 @@ env:
VERIFIER_RELEASE_BINARY_SHA256: 60c91c9d5b9a059e37ac46da316f20c81da335b5d00e1f74d03dd50f819694bd
VERIFIER_RELEASE: v1.1.1
-###################################################################
-# #
-# Input and output argument definitions #
-# #
-###################################################################
on:
workflow_call:
inputs:
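Review bot: The pin comment added on the provenance `download-artifact` step reads `# v3.0.0.` with a stray trailing period, while the six other pins touched by this commit read `# v3.0.0`; keep them byte-identical so a grep for the pin comment matches all of them: `# v3.0.0`. More importantly, every hunk in this file changes only the comment and leaves the SHA `fb598a63ae348fa914e94cd0ff38f362e927b741` untouched, so the diff itself cannot show which tag that commit is; since a mismatched tag comment is exactly what the commit claims to fix, the reviewer should confirm the SHA against the `actions/download-artifact` v3.0.0 tag before merging. The job containing these steps begins before the hunk.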
@@ -42,17 +37,27 @@ on:
description: "Artifacts for which to generate provenance, formatted the same as the output of sha256sum (SHA256 NAME\\n[...]) and base64 encoded."
required: true
type: string
+ upload-to-release:
+ description: "If true provenance is uploaded to a GitHub release for new tags."
+ required: false
+ type: boolean
+ default: true
compile-generator:
- description: "Build the generator from source. This increases build time by ~2mn."
+ description: "Build the generator from source. This increases build time by ~2m."
required: false
type: boolean
default: false
outputs:
+ release-id:
+ description: "The name of the release where provenance was uploaded."
+ value: ${{ jobs.create-release.outputs.release-id }}
attestation-name:
description: "The artifact name of the signed provenance"
value: ${{ jobs.generator.outputs.attestation-name }}
jobs:
+ # detect-env detects the reusable workflow's repository and ref for use later
+ # in the workflow.
detect-env:
outputs:
repository: ${{ steps.detect.outputs.repository }}
@@ -65,14 +70,19 @@ jobs:
id: detect
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@d995948e8d53cc639c0d3ef69db31dbc243519c4
- ###################################################################
- # #
- # Build the generator #
- # #
- ###################################################################
+ # generator builds the generator binary and runs it to generate SLSA
+ # provenance.
+ #
+ # If `compile-generator` is true then the generator is compiled
+ # from source at the ref detected by `detect-env`.
+ #
+ # If `compile-generator` is false, then the generator binary is downloaded
+ # with the release at the ref detected by `detect-env`. This must be a tag
+ # reference.
generator:
outputs:
attestation-name: ${{ steps.sign-prov.outputs.attestation-name }}
+ attestation-sha256: ${{ steps.sign-prov.outputs.attestation-sha256 }}
runs-on: ubuntu-latest
needs: [detect-env]
permissions:
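Review bot: The new `release-id` output is described as "The name of the release", but its value is wired to `jobs.create-release.outputs.release-id`, which the `create-release` job fills from `steps.release.outputs.id`; the `id` output of softprops/action-gh-release is the release's identifier rather than its name (confirm against the action's docs). The `create-release` job also runs only on tag refs with `upload-to-release` true, so callers will see an empty value in every other run, and the description should say so. Suggest `description: "The ID of the GitHub release the provenance was uploaded to. Empty when no release was created (non-tag ref, or upload-to-release is false)."`.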
@@ -133,8 +143,11 @@ jobs:
set -euo pipefail
# Create and sign provenance
# This sets attestation-name to the name of the signed DSSE envelope.
- ./"$BUILDER_BINARY" attest --subjects "${SUBJECTS}" -g attestation.intoto.jsonl
- echo "::set-output name=attestation-name::attestation.intoto.jsonl"
+ attestation_name="attestation.intoto.jsonl"
+ ./"$BUILDER_BINARY" attest --subjects "${SUBJECTS}" -g $attestation_name
+ attestation_sha256=$(sha256sum $attestation_name | awk '{print $1}')
+ echo "::set-output name=attestation-name::$attestation_name"
+ echo "::set-output name=attestation-sha256::$attestation_sha256"
- name: Upload the signed provenance
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
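Review bot: `$attestation_name` is expanded unquoted in both the `attest -g` argument and the `sha256sum` call, while every other expansion in this script is quoted (`"$BUILDER_BINARY"`, `"${SUBJECTS}"`). It is a fixed literal today so nothing breaks, but the variable was introduced precisely so the name has a single definition, and the first change that makes it configurable would inherit word splitting; quote it now: `./"$BUILDER_BINARY" attest --subjects "${SUBJECTS}" -g "$attestation_name"` and `attestation_sha256=$(sha256sum "$attestation_name" | awk '{print $1}')`. The `# This sets attestation-name ...` comment should also mention the second output, e.g. `# ... and attestation-sha256 to its SHA-256, which create-release uses to check the downloaded artifact.` The `run:` block and its step begin before this hunk.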
@@ -143,3 +156,40 @@ jobs:
path: "${{ steps.sign-prov.outputs.attestation-name }}"
if-no-files-found: error
retention-days: 5
+
+ # create-release creates a release and uploads provenance to the release if
+ # `upload-to-release` is true.
+ create-release:
+ outputs:
+ release-id: ${{ steps.release.outputs.id }}
+ runs-on: ubuntu-latest
+ needs: [generator]
+ permissions:
+ contents: write
+ if: startsWith(github.ref, 'refs/tags/') && inputs.upload-to-release == true
+ steps:
+ # Verify provenance hash.
+ - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
+ with:
+ name: ${{ needs.generator.outputs.attestation-name }}
+ - name: Verify provenance hash
+ env:
+ UNTRUSTED_PROVENANCE_NAME: "${{ needs.generator.outputs.attestation-name }}"
+ UNTRUSTED_PROVENANCE_HASH: "${{ needs.generator.outputs.attestation-sha256 }}"
+ run: |
+ set -euo pipefail
+
+ echo "hash of provenance $UNTRUSTED_PROVENANCE_NAME should be $UNTRUSTED_PROVENANCE_HASH"
+
+ COMPUTED_HASH=$(sha256sum "$UNTRUSTED_PROVENANCE_NAME" | awk '{print $1}')
+ echo "provenance hash computed is $COMPUTED_HASH"
+
+ # Compare hashes. Explicit exit to be safe.
+ echo "$UNTRUSTED_PROVENANCE_HASH $UNTRUSTED_PROVENANCE_NAME" | sha256sum --strict --check --status || exit -2
+
+ - name: Release
+ uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # v0.1.14
+ id: release
+ with:
+ files: |
+ ${{ needs.generator.outputs.attestation-name }}
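Review bot: The `create-release` job comment only says it uploads when `upload-to-release` is true; it should also record the other conditions visible in the job, namely that it runs only on `refs/tags/*` (its `if:`), that `release-id` is empty whenever the job is skipped, and that it requires `contents: write`, which in a `workflow_call` workflow the caller's job has to grant — and since `upload-to-release` defaults to `true`, presumably the caller-facing documentation needs the same note. Suggested comment: `# create-release creates a GitHub release for the tag and uploads the signed provenance to it. Runs only on tag refs when upload-to-release is true; skipped otherwise (release-id is then empty). Needs contents: write from the caller.` The `# Verify provenance hash.` comment would also be more useful if it said why the check exists: `# Check the downloaded artifact against the hash the generator job computed, so the file uploaded below is the one that was signed.`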